File name:

rustdesk-1.3.2-x86_64.exe

Full analysis: https://app.any.run/tasks/b6b50028-0d09-4bd7-8612-7002eea8f68f
Verdict: Malicious activity
Analysis date: November 13, 2024, 18:35:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
rustdesk
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

AA6D18E1405A0BE5EFF04D419F9C6BBE

SHA1:

30ED558A8804B5F826A3CA4A1C2212DE58E6030A

SHA256:

465E3CC0BEFA33EF54DB3819D224E19CFFE684CFE687C76B43352F5BB9C2D87E

SSDEEP:

98304:0/NGp8rTDkqbevv6xCxzF7cAXMosAiUtFk18G0MJ6GJEe7vhVU2ZNTWLYoYeTjR+:dZNWIHhNyt7VHfhQKZtWS4v1mofMYZzy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
      • rustdesk.exe (PID: 824)
      • rustdesk.exe (PID: 6368)
      • rustdesk.exe (PID: 3524)
      • rustdesk.exe (PID: 5564)
      • rustdesk.exe (PID: 3604)
      • rustdesk.exe (PID: 6960)
      • rustdesk.exe (PID: 4556)
      • rustdesk.exe (PID: 4476)
      • rustdesk.exe (PID: 7120)
      • rustdesk.exe (PID: 1332)

    • Create files in the Startup directory

      • cmd.exe (PID: 1112)

  • SUSPICIOUS

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6204)
      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
      • cmd.exe (PID: 1112)
      • cmd.exe (PID: 6952)

    • The process checks if it is being run in the virtual environment

      • rustdesk.exe (PID: 7116)

    • Executable content was dropped or overwritten

      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
      • xcopy.exe (PID: 5276)

    • Process drops legitimate windows executable

      • rustdesk-1.3.2-x86_64.exe (PID: 2648)

    • Starts CMD.EXE for commands execution

      • rustdesk.exe (PID: 7116)
      • rustdesk.exe (PID: 824)
      • rustdesk.exe (PID: 3604)

    • Reads the date of Windows installation

      • rustdesk.exe (PID: 7116)

    • Reads the Windows owner or organization settings

      • rustdesk.exe (PID: 7116)

    • Connects to unusual port

      • rustdesk.exe (PID: 7116)
      • rustdesk.exe (PID: 3604)

    • Executing commands from a ".bat" file

      • rustdesk.exe (PID: 824)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 1112)

    • The executable file from the user directory is run by the CMD process

      • rustdesk.exe (PID: 6368)
      • rustdesk.exe (PID: 3524)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 1112)

    • Starts application with an unusual extension

      • cmd.exe (PID: 1112)

    • Runs shell command (SCRIPT)

      • cscript.exe (PID: 4040)
      • cscript.exe (PID: 6304)
      • cscript.exe (PID: 1732)

    • The process executes VB scripts

      • cmd.exe (PID: 1112)

    • Executes as Windows Service

      • rustdesk.exe (PID: 5564)
      • rustdesk.exe (PID: 6960)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 1112)

    • Application launched itself

      • rustdesk.exe (PID: 6960)
      • rustdesk.exe (PID: 3604)
      • rustdesk.exe (PID: 7116)

    • Starts itself from another location

      • rustdesk.exe (PID: 824)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1712)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1112)

  • INFO

    • Creates files or folders in the user directory

      • rustdesk.exe (PID: 7120)
      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
      • rustdesk.exe (PID: 7116)
      • rustdesk.exe (PID: 824)
      • rustdesk.exe (PID: 6368)
      • rustdesk.exe (PID: 3524)

    • Reads the computer name

      • rustdesk.exe (PID: 7120)
      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
      • rustdesk.exe (PID: 7116)

    • Create files in a temporary directory

      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
      • rustdesk.exe (PID: 824)
      • cscript.exe (PID: 4040)
      • cscript.exe (PID: 6304)
      • cscript.exe (PID: 1732)

    • Checks supported languages

      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
      • rustdesk.exe (PID: 7116)
      • rustdesk.exe (PID: 7120)

    • Reads Windows Product ID

      • rustdesk.exe (PID: 7116)

    • Reads Environment values

      • rustdesk.exe (PID: 7116)

    • Checks proxy server information

      • rustdesk.exe (PID: 7116)

    • Reads product name

      • rustdesk.exe (PID: 7116)

    • Reads the software policy settings

      • rustdesk.exe (PID: 7116)

    • Changes the display of characters in the console

      • cmd.exe (PID: 1112)

    • The process uses the downloaded file

      • rustdesk.exe (PID: 824)

    • Creates files in the program directory

      • cmd.exe (PID: 1112)
      • xcopy.exe (PID: 5276)

    • Reads the machine GUID from the registry

      • rustdesk.exe (PID: 7116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:10:29 02:48:40+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 367616
InitializedDataSize: 21467136
UninitializedDataSize: -
EntryPoint: 0x4ab38
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.3.2.0
ProductVersionNumber: 1.3.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: RustDesk
OriginalFileName: rustdesk.exe
LegalCopyright: Copyright © 2024 Purslane Ltd. All rights reserved.
FileVersion: 1.3.2
ProductVersion: 1.3.2
FileDescription: RustDesk Remote Desktop
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
206
Monitored processes
80
Malicious processes
7
Suspicious processes
10

Behavior graph

Click at the process to see the details
start rustdesk-1.3.2-x86_64.exe taskkill.exe no specs conhost.exe no specs rustdesk.exe cmd.exe no specs rustdesk.exe no specs conhost.exe no specs taskkill.exe no specs rustdesk.exe no specs cmd.exe conhost.exe no specs chcp.com no specs sc.exe no specs sc.exe no specs taskkill.exe no specs taskkill.exe no specs reg.exe no specs reg.exe no specs netsh.exe no specs rustdesk.exe no specs reg.exe no specs rustdesk.exe no specs chcp.com no specs xcopy.exe reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cscript.exe no specs cscript.exe no specs cscript.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs rustdesk.exe no specs sc.exe no specs sc.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs netsh.exe no specs netsh.exe no specs sc.exe no specs sc.exe no specs rustdesk.exe no specs rustdesk.exe reg.exe no specs cmd.exe no specs rustdesk.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs rustdesk.exe no specs timeout.exe no specs taskkill.exe no specs rustdesk.exe

Process information

PID
CMD
Path
Indicators
Parent process
616"taskkill" /F /IM RuntimeBroker_rustdesk.exeC:\Windows\System32\taskkill.exerustdesk-1.3.2-x86_64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
616sc stop RustDeskC:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
616timeout /t 2 C:\Windows\System32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
824"C:\Users\admin\AppData\Local\rustdesk\.\rustdesk.exe" --installC:\Users\admin\AppData\Local\rustdesk\rustdesk.exerustdesk.exe
User:
admin
Company:
Purslane Ltd
Integrity Level:
MEDIUM
Description:
RustDesk Remote Desktop
Exit code:
3221225547
Version:
1.3.2+51
920\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
948\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1112"C:\Windows\System32\cmd.exe" /C C:\Users\admin\AppData\Local\Temp\RustDesk_install.batC:\Windows\System32\cmd.exe
rustdesk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1172reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v BuildDate /t REG_SZ /d "2024-10-29 02:36"C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1332"C:\Program Files\RustDesk\RustDesk.exe"C:\Program Files\RustDesk\rustdesk.exe
cmd.exe
User:
admin
Company:
Purslane Ltd
Integrity Level:
MEDIUM
Description:
RustDesk Remote Desktop
Version:
1.3.2+51
1376reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v DisplayIcon /t REG_SZ /d "C:\Program Files\RustDesk\RustDesk.exe"C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
15 008
Read events
14 991
Write events
17
Delete events
0

Modification events

(PID) Process:(1376) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:DisplayIcon
Value:
C:\Program Files\RustDesk\RustDesk.exe
(PID) Process:(6720) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:DisplayName
Value:
RustDesk
(PID) Process:(6724) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:DisplayVersion
Value:
1.3.2
(PID) Process:(3744) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:Version
Value:
1.3.2
(PID) Process:(1172) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:BuildDate
Value:
2024-10-29 02:36
(PID) Process:(6420) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:InstallLocation
Value:
C:\Program Files\RustDesk
(PID) Process:(4828) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:Publisher
Value:
RustDesk
(PID) Process:(6956) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:VersionMajor
Value:
1
(PID) Process:(7084) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:VersionMinor
Value:
3
(PID) Process:(4692) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:VersionBuild
Value:
2
Executable files
36
Suspicious files
28
Text files
160
Unknown types
9

Dropped files

PID
Process
Filename
Type
2648rustdesk-1.3.2-x86_64.exeC:\Users\admin\AppData\Local\rustdesk\data\app.so
MD5:
SHA256:
2648rustdesk-1.3.2-x86_64.exeC:\Users\admin\AppData\Local\rustdesk\uni_links_desktop_plugin.dllexecutable
MD5:56C2429C80DEA2AB759ACE2F39B7AECA
SHA256:47D84CAFAF36E6AACD7B01065BCC8808D1D05F180721DE0D4C46B0EE59D46753
2648rustdesk-1.3.2-x86_64.exeC:\Users\admin\AppData\Local\Temp\nwgC6D3.tmptext
MD5:90FEB8EDF41C48A02D0320766AFE6A4B
SHA256:70C7A70EEDD5B93E686AA0BC81BBA03D2E35228FF05BCDB3CC1EB3756E569B5C
2648rustdesk-1.3.2-x86_64.exeC:\Users\admin\AppData\Local\rustdesk\file_selector_windows_plugin.dllexecutable
MD5:7792CD260F3C49F200B9200B83385927
SHA256:C310576A1A07A9A3CE776FFF810C339ABF6EAE2341440DDA3B7A962C12277F5C
2648rustdesk-1.3.2-x86_64.exeC:\Users\admin\AppData\Local\rustdesk\desktop_drop_plugin.dllexecutable
MD5:823B73A4D1B2DC374EAA70A6FBCB6B5B
SHA256:F7DD9527704EDF5CC41863546CAADFE67F48A1C3A1BC103229542B36D8ED9BAF
2648rustdesk-1.3.2-x86_64.exeC:\Users\admin\AppData\Local\rustdesk\flutter_gpu_texture_renderer_plugin.dllexecutable
MD5:99B57E645A7D163A82E3F359B934482F
SHA256:04C941BAFC0C9CC8FDB56BEBCA1744FB0B6B4BCDCED905A73CDFD08CBB8D0454
2648rustdesk-1.3.2-x86_64.exeC:\Users\admin\AppData\Local\rustdesk\librustdesk.dllexecutable
MD5:C9B60ED38BD118796F3B4DA969D8849D
SHA256:A100E96FF8A1921F6DDF8EC54B64DE97F2912E56622447FB07022852A1033764
2648rustdesk-1.3.2-x86_64.exeC:\Users\admin\AppData\Local\rustdesk\screen_retriever_plugin.dllexecutable
MD5:7C6EFC7FEDAA888870280FCBD186F5F7
SHA256:0B32C3C19706075389CD8A947C3202E7E24A74D99EF22BD8E5CA4BDE2B1F762C
2648rustdesk-1.3.2-x86_64.exeC:\Users\admin\AppData\Local\rustdesk\texture_rgba_renderer_plugin.dllexecutable
MD5:54F8ADE603E173D003DECEA3A4FC1270
SHA256:7DE3F7AB8BD9765CAF3C7754A71B764A0341FA473F9482BBCA38DE832F69EF51
2648rustdesk-1.3.2-x86_64.exeC:\Users\admin\AppData\Local\rustdesk\flutter_windows.dllexecutable
MD5:92CC98C72A6A442C7FF966DE4B8DD633
SHA256:0CCD6003144CA76034A6FE92C4BE58039C41F642EE0916CBCDD62FEA916808C6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
33
DNS requests
11
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
302
140.82.121.4:443
https://github.com/rustdesk/rustdesk/releases/latest
unknown
unknown
6944
svchost.exe
GET
200
2.16.241.14:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3396
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
302
140.82.121.4:443
https://github.com/rustdesk/rustdesk/releases/latest
unknown
unknown
POST
204
104.126.37.178:443
https://www.bing.com/threshold/xls.aspx
unknown
whitelisted
GET
200
140.82.121.4:443
https://github.com/rustdesk/rustdesk/releases/tag/1.3.2
unknown
html
192 Kb
shared
POST
204
104.126.37.152:443
https://www.bing.com/threshold/xls.aspx
unknown
whitelisted
GET
200
140.82.121.4:443
https://github.com/rustdesk/rustdesk/releases/tag/1.3.2
unknown
html
192 Kb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5488
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3396
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
2.16.241.14:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6944
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5488
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3396
RUXIMICS.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 2.16.241.14
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
rs-ny.rustdesk.com
  • 209.250.254.15
malicious
github.com
  • 140.82.121.4
shared
www.bing.com
  • 2.23.209.139
  • 2.23.209.158
  • 2.23.209.160
  • 2.23.209.155
  • 2.23.209.150
  • 2.23.209.141
  • 2.23.209.161
  • 2.23.209.149
  • 2.23.209.154
whitelisted
self.events.data.microsoft.com
  • 52.168.112.67
whitelisted

Threats

PID
Process
Class
Message
2172
svchost.exe
Misc activity
ET INFO RustDesk Relay Domain in DNS Lookup
2172
svchost.exe
Misc activity
ET INFO RustDesk Domain in DNS Lookup
2172
svchost.exe
Misc activity
ET INFO RustDesk Domain in DNS Lookup
2172
svchost.exe
Misc activity
ET INFO RustDesk Relay Domain in DNS Lookup
8 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
rustdesk-1.3.2-x86_64.exe